Computer virus hits US Predator and Reaper drone fleet

A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other war zones.

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the US military’s most important weapons system.

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech. That raises the possibility, at least, that secret data may have been captured by the keylogger, and then transmitted over the public internet to someone outside the military chain of command.

Drones have become America’s tool of choice in both its conventional and shadow wars, allowing US forces to attack targets and spy on its foes without risking American lives. Since President Obama assumed office, a fleet of approximately 30 CIA-directed drones have hit targets in Pakistan more than 230 times; all told, these drones have killed more than 2,000 suspected militants and civilians, according to the Washington Post. More than 150 additional Predator and Reaper drones, under US Air Force control, watch over the fighting in Afghanistan and Iraq. American military drones struck 92 times in Libya between mid-April and late August. And late last month, an American drone killed top terrorist Anwar al-Awlaki — part of an escalating unmanned air assault in the Horn of Africa and southern Arabian peninsula.

The lion’s share of US drone missions are flown by Air Force pilots stationed at Creech, a tiny outpost in the barren Nevada desert, 20 miles north of a state prison and adjacent to a one-story casino. In a nondescript building, down a largely unmarked hallway, are a series of rooms, each with a rack of servers and a “ground control station,” or GCS. There, a drone pilot and a sensor operator sit in their flight suits in front of a series of screens. In the pilot’s hand is the joystick, guiding the drone as it soars above Afghanistan, Iraq, or some other battlefield.

Some of the GCSs are classified secret and used for conventional warzone surveillance duty. The GCSs handling more exotic operations are top secret. None of the remote cockpits are supposed to be connected to the public internet, which means they are supposed to be largely immune to viruses and other network security threats.

Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use.

In the meantime, technicians at Creech are trying to get the virus off the GCS machines. It has not been easy. At first, they followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says. Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives. “That meant rebuilding them from scratch” — a time-consuming effort.

The Air Force declined to comment directly on the virus. “We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft. “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.”

However, insiders say that senior officers at Creech are being briefed daily on the virus.

The virus is on a system chip more likely if they cannot remove it... Finding out where it's coming from will be quite a task... some firmware somewhere is most likely the issue - hence "it keeps coming back". There is always some custom hardware that contains firmware... hell it could be their flight controls...

You don't have a clue - been watching way too much Hollywood crap.

"it keeps coming back" means tech support is an idiot who tried to remove it. {HKLM,HKCU}\Software\Microsoft\Windows\CurrentVersion\Run is where it's hiding. But even though I know that I still would not be dumb enough to try to clean it up. You don't play games with any systems you even remotely care about or depend on. Wipe them clean and be done with it - note the Linux response to the recent kernel.org incident.

Virus can be hidden almost anywhere, especially if you are the one making them... Not to mention with all the latest reports of backdoor passwords in custom hardware that are never removed before they are deployed, etc... this is very likely. Hell it could be in their freaking "Thrustmaster" joysticks!

Just saying there are so many ways to attack something especially if you have the upper-hand.... IE you made the device...

I hate quoting wikipedia, but...

Quote:

Hardware/Firmware (http://en.wikipedia.org/wiki/Rootkit): A firmware rootkit uses device or platform firmware to create a persistent malware image in hardware, such as a network card,[44] hard drive, or the system BIOS.[24] The rootkit hides in firmware, because firmware is not usually inspected for code integrity. John Heasman demonstrated the viability of firmware rootkits in both ACPI firmware routines[45] and in a PCI expansion card ROM.[46] In October 2008, criminals tampered with European credit-card-reading machines before they were installed. The devices intercepted and transmitted credit card details via a mobile phone network.[47] In March 2009, researchers Alfredo Ortega and Anibal Sacco published details of a BIOS-level Windows rootkit that was able to survive disk replacement and operating system re-installation.[48][49][50] A few months later they found that some laptops are sold with a legitimate rootkit, known as CompuTrace or LoJack for Laptops, preinstalled in the BIOS. This is an anti-theft technology system that researchers showed can be turned to malicious purposes.[51]

I find it surprising the military doesn't have images they can reload in a half an hour. Wouldn't secure backups be a priority of and for national security?

I don't know about the military but as a federal employee under the DHS umbrella myself, the number of idiots that seem to inhabit our IT departments (to include security) should never be under-estimated.

Maybe not in the "make stuff go BOOM!" sense, but I'd say a keylogger on those systems poses a significant threat to US national security...

LobsterMobster wrote:

It was just a matter of time before this happened. It's also just a matter of time before there's a new virus that inputs new instructions, new targets, new communication protocols...

This is why we'll never get rid of manned aircraft. It's hard to hijack a fighter out from underneath its pilot.

You do know that most modern military planes are controlled electronically right? And I can guarantee you that they get a constant stream of data flowing in. Of course one can hope they are smart enough to isolate the fly-by-wire systems from the systems getting live weather updates and intel (and thus potentially exploits), but there are probably some very real advantages to integration that make it a very tempting move.

Given how many problems ordinary people have day in, day out with Windows just trying to do mundane tasks such as surfing the internet, writing and printing documents etc.

Ugh, this is SO pretentious and completely untrue, I think I might vomit if I have to read one more snobby comment about all of the problems I have with Windows. I don't, nor have I ever had the problems you made up. And in case you hadn't noticed, all of that activity and work going on all around you all over the world, it's performed with Windows.

But what would I know right, I'm just a dope sitting in front of my computer scratching my head.

I'm genuinely confused here. They have a virus and Kaspersky doesn't know what to do... does that mean they're actually using WINDOWS to run these machines and, thus, these operations?

I strongly assume that's not the case, but the whole scenario sounds so.. well... windows-ish......

The military runs on Windows. The push for COTS is decades old at this point. Why is this a surprise? Did you expect them to buy Macs instead? Big Unix shops charge an arm and a leg and don't have equipment in the right form factors (ruggedized, low power, handheld, etc...) and have their own issues.

Wow. Just.... wow.

I always assumed that Windows was out of the question as the OS of choice -- due to its countless security problems both in the present and the past -- when it comes to such extremely crucial operations as the ones described in the article.

My bet would have been on some customized, super-secret OS based on BSD or AIX or some other esoteric stuff.

Given how many problems ordinary people have day in, day out with Windows just trying to do mundane tasks such as surfing the internet, writing and printing documents etc., it really boggles the mind that Windows is also used for military operations where people can get killed.

So wait, there is a virus, infecting a critical piece of our military infrastructure - we know that the virus is there, we don't know where it comes from or what it's doing - we aren't able to remove it, and we keep using systems infected by this virus?

Not knowing the virus is there at all would be one thing, incompetent, but understandable, but this takes incompetence to a whole new level.

the Pentagon assumed that their adversaries in the Middle East and Central Asia wouldn’t have the smarts to tap into the communications link.

SNAFUs have been part of military life as long as there's been military life, even if the acronym is less than a century old. But this sort of mindless hubris and negligent underestimation of the adversary… is historically consistent with empires that have catastrophically over-reached (Germany invading the USSR, the USSR invading Afghanistan, for two recent examples) and are, by doing so, sealing their own fate.

That being said, when I was in the Navy we did use Windows on a lot of stuff. However I would've figured a Predator control station to be kinda like a radar console. Hardware running software baked right into the chips with software updates coming across an archaic serial connection or a swap of EEPROMS.

And finally, I charge $125 an hour. I will gladly remove the virus for them. Hell my clearance is probably still good too.

While this was inevitable, it is disturbing that it happens while we are *not* seriously engaged in a shooting war with an adversary with a well-equipped adversary bent on neutralizing our defenses during major territory acquisition.

This my friend is why we were never stupid and dismantled our nuclear arsenal. A 2 mile high mushroom cloud makes for one helluva deterrent wouldn't ya say? Here's a thought:

Strategic Surgical Nuclear Carpet Bombing. For when you absolutely have to get rid of every mofo on your list.

My suggestion: No other connections to the outside world other than USB allowed.

The OS is configured to refuse to copy/store or run *anything* that isn't signed with the right keys, including from the USB drive (a virus can't even begin to run). This should be combined with a proper HIPS (Comodo CIS is close when "system protection" is on the highest security level).

To sign files: There's a special machine that does NOTHING other than sign files from USB drives. It also cannot run or copy/store anything at all from USB drives, but it can generate signatures for the files. It should have several hyper-paranoid antiviruses, plus it should also be configured to ask which computers the files are intended for - for some computers, you'll *only* want files of a certain format, *properly* made (like XML files) according to certain rules. It will refuse to sign files that do not match these rules, and those machines will also not run anything that's not signed *intended for them* (those higher security systems could have their own keypair that they look for signatures from). That computer always resets completely from scratch after every use; it shall not have ANY local storage (and again, it never runs external code). Read-only memory locally on the signing machine.
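As an added example (not code from the article or from the commenter above), here is the signing-station / target-machine split described in this post, in Python: the station applies a per-destination format rule before signing, and the target accepts only files signed for itself. The destination names, keys and the XML rule are constructed; an HMAC key per destination stands in for the per-machine keypair the post proposes, so that it runs with the standard library alone.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed per-destination secrets. The post calls for a keypair per target
# machine; an HMAC key per destination is used here (standard library only), so
# the signing station and the target share that destination's key.
DEST_KEYS = {
    "map-server": b"constructed-key-for-map-server",
    "video-archive": b"constructed-key-for-video-archive",
}

# Format rules the signing station enforces before it will sign anything.
RULES = {
    "map-server": {"format": "xml", "root": "mapupdate"},   # only well-formed <mapupdate> XML
    "video-archive": {"format": "raw"},                     # any bytes allowed
}


def check_format(dest: str, data: bytes) -> bool:
    """Apply the destination's rule; an unknown destination gets nothing signed."""
    rule = RULES.get(dest)
    if rule is None:
        return False
    if rule["format"] == "raw":
        return True
    try:  # XML must parse and carry the expected root element
        return ET.fromstring(data).tag == rule["root"]
    except ET.ParseError:
        return False


def _tag(dest: str, data: bytes) -> bytes:
    """Bind the file hash to the destination name so a tag is only valid for that target."""
    digest = hashlib.sha256(data).digest()
    return hmac.new(DEST_KEYS[dest], dest.encode() + b"\0" + digest, "sha256").digest()


def sign_for(dest: str, data: bytes):
    """Signing station: returns a manifest {dest, tag}, or None when the rules reject the file."""
    if not check_format(dest, data):
        return None
    return {"dest": dest, "tag": _tag(dest, data).hex()}


def accept_on_target(my_dest: str, data: bytes, manifest) -> bool:
    """Target machine: accept only unmodified files whose manifest names *this* destination."""
    if manifest is None or manifest.get("dest") != my_dest:
        return False
    return hmac.compare_digest(bytes.fromhex(manifest["tag"]), _tag(my_dest, data))


if __name__ == "__main__":
    update = b"<mapupdate region='demo'/>"                 # constructed sample file
    manifest = sign_for("map-server", update)
    print(accept_on_target("map-server", update, manifest))      # accepted
    print(accept_on_target("video-archive", update, manifest))   # rejected: wrong destination
    print(sign_for("map-server", b"not xml at all"))             # None: fails the format rule
```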

Quote:

While this was inevitable, it is disturbing that it happens while we are *not* seriously engaged in a shooting war with an adversary with a well-equipped adversary bent on neutralizing our defenses during major territory acquisition.

This my friend is why we were never stupid and dismantled our nuclear arsenal. A 2 mile high mushroom cloud makes for one helluva deterrent wouldn't ya say? Here's a thought:

Strategic Surgical Nuclear Carpet Bombing. For when you absolutely have to get rid of every mofo on your list.

I'd say the risk is larger that they use those nukes *against* them. Can you imagine a whole fleet of US nukes coming from all over flying towards the White House?

Yea, a wipe & reload is probably best by now...but it will probably literally take days to rebuild a single GCS. These aren't your basic Windows or Linux boxes, they have crap tons of customized stuff on them, and the software itself when installed often needs very time consuming configuration before you can even start connecting it to other things to test that it's all working.

When I was in the USAF I used to have to load a few systems for a testing lab. Trust me, an entire day could be spent sitting there with 2 or 3 machines with the load manual sitting open in front of each one simply loading the software before we could even start hooking it up. Nearly all of this software is put together by contractors (Lockheed, Boeing, etc).

I've never worked with the AF, but is there some reason restoring these systems from an image isn't feasible? Why do you have to go through manual installation garbage?

This is why we'll never get rid of manned aircraft. It's hard to hijack a fighter out from underneath its pilot.

Three words: fly by wire.

Fly by wire can be disengaged.

On a modern fighter/bomber jet? I'm no expert, but I highly doubt that - can humans even fly an F16 or more recent plane without computer adjustments to keep it stable?

You're quite right, onkeljonas. On a true fly-by-wire (FBW) system, there *are* no mechanical links between the stick/control column and the flight control surfaces. In the F-16 example you cite, the aircraft is statically unstable - "disengaging" the FBW (even if it were possible) would result in the airplane swapping ends and there's little or nothing the pilot could do about it. FBW does not *necessarily* imply an unstable aircraft, though. The majority of Airbus airliners are FBW, and the 787 is Boeing's first FBW airplane for all three control axes. All of those aircraft are stable in the conventional sense. FBW is used both to save the weight of mechanical control runs, and to allow better integration of the flight computers into the system. Some of the earlier Airbus aircraft had mechanical backup systems to the FBW controls, but no longer. You can't disengage them in-flight, since there's nothing else to control the aircraft.